The volume action "os-extend" API does not check policy
Bug #1682211 reported by Matt Riedemann
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Cinder | Invalid | Undecided | Unassigned |
Bug Description
There is a "volume:extend" policy rule defined in cinder's default policy.json file but that rule is not checked in the actual code for the os-extend volume action API. So if a deployer wants to disable this feature from owners (end users) of the volume, and restrict it to just admins, they can't because the code doesn't enforce it.
This is most likely true for a lot of volume action APIs.
Never mind, I'm wrong, it's checked in the volume API code here:
https://git.openstack.org/cgit/openstack/cinder/tree/cinder/volume/api.py?h=10.0.1#n1271
The name of the method is used to match it to the policy.
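
The mechanism described in the last comment, as an added sketch that is not part of the original bug report and is not Cinder's code: a decorator derives the rule name from the wrapped method's name, so `extend` is checked against "volume:extend" without any explicit policy call in the method body. All names, the in-memory rule table and the fail-closed handling of a missing rule are assumptions made for this illustration.

```python
import functools

class PolicyNotAuthorized(Exception):
    pass

# Constructed rule table standing in for policy.json. "volume:extend" is
# restricted to admins, the deployer scenario from the bug description.
RULES = {
    "volume:extend": lambda ctx, vol: ctx["is_admin"],
    "volume:get": lambda ctx, vol: (ctx["is_admin"]
                                    or ctx["project_id"] == vol["project_id"]),
}

def check_policy(context, action, target):
    """Enforce the rule "volume:<action>" against the target volume."""
    rule_name = "volume:%s" % action
    rule = RULES.get(rule_name)
    # Assumption of this sketch: a missing rule denies (fail closed).
    if rule is None or not rule(context, target):
        raise PolicyNotAuthorized(rule_name)

def wrap_check_policy(func):
    """Check the policy named after the wrapped method before running it."""
    @functools.wraps(func)  # keeps func.__name__ intact for stacked decorators
    def wrapped(self, context, target, *args, **kwargs):
        check_policy(context, func.__name__, target)
        return func(self, context, target, *args, **kwargs)
    return wrapped

class VolumeAPI:
    @wrap_check_policy
    def extend(self, context, volume, new_size):  # checked as "volume:extend"
        volume["size"] = new_size
        return volume

    @wrap_check_policy
    def get(self, context, volume):  # checked as "volume:get"
        return volume

    @wrap_check_policy
    def resize(self, context, volume, new_size):  # no "volume:resize" rule
        volume["size"] = new_size
        return volume

def is_allowed(method, context, volume, *args):
    """Return True if the call passes the policy check, False if denied."""
    try:
        method(context, volume, *args)
        return True
    except PolicyNotAuthorized:
        return False
```

Because the binding is implicit, renaming a method changes which rule guards it; the `resize` case shows why an unmatched name should deny rather than pass, and why an audit for missing checks has to look at decorators as well as explicit calls.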